A proposal for founding mistrustful quantum cryptography on coin tossing 
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A significant branch of classical cryptography deals with the problems which arise when mis- 
trustful parties need to generate, process or exchange information. As Kilian showed a while ago, 
mistrustful classical cryptography can be founded on a single protocol, oblivious transfer, from which 
general secure multi-party computations can be built. 

The scope of mistrustful quantum cryptography is limited by no-go theorems, which rule out, inter 
alia, unconditionally secure quantum protocols for oblivious transfer or general secure two-party 
computations. These theorems apply even to protocols which take relativistic signalling constraints 
into account. The best that can be hoped for, in general, are quantum protocols computationally 
secure against quantum attack. I describe here a method for building a classically certified bit 
commitment, and hence every other mistrustful cryptographic task, from a secure coin tossing 
protocol. No security proof is attempted, but I sketch reasons why these protocols might resist 
quantum computational attack. 



1 Present and permanent address 

I. INTRODUCTION 

Quantum computers pose a threat to most, if not 
all, standard classical cryptographic schemes. Typically, 
classical cryptosystems rely on the difficulty of factorisa- 
tion or equivalent tasks, which we know quantum com- 
puters can solve efficiently. Even classical protocols 
which rely on problems for which no efficient quantum 
algorithm is currently known are somewhat suspect at 
the moment, since the power of quantum computers is 
not well understood. 

Fortunately, for key distribution and a few other in- 
teresting cryptographic tasks, quantum cryptography of- 
fers a complete defence to the threat posed by quantum 
computers — unconditionally secure quantum protocols, 
which are provably unbreakable by classical or quantum 
computers. Unfortunately, this is not true of a wide range 
of important cryptographic tasks that allow mistrustful 
parties to generate, process or exchange information with 
suitable security guarantees. No-go theorems show the 
impossibility of unconditionally secure non-relativistic 
quantum protocols for many of these tasks — for ex- 
ample, bit commitment [1-4,6], oblivious transfer and 
some secure two-party computations [7] . In the last two 
cases, these theorems apply also to protocols which take 
account of relativistic signalling constraints. 

Given that unconditional security is unattainable for 
these tasks, we have to fall back on weaker notions of 
security. One possible approach is to assume that that 
reliable bounds can be placed on the size of any quantum 
computer in the possession of an adversary, and to de- 
vise protocols which cannot be broken by quantum com- 
puters capable of manipulating no more than N qubits 



coherently [8]. However, it is hard to tell at the moment 
whether future technological developments will allow for 
any such bounds. It is also known that bit commitment 
protocols can be devised which are secure under the as- 
sumption that quantum one-way functions exist. [9] How- 
ever, identifying good candidate quantum one-way func- 
tions is itself a challenge. 

It would, at any rate, certainly be good to be able to re- 
turn to the "pre-quantum" state of affairs, replacing pro- 
tocols which offer computational security against classi- 
cal computers with protocols which offer credible compu- 
tational security against quantum computers. For exam- 
ple, since NP-complete problems are generally thought 
unlikely to be solvable by quantum computers in poly- 
nomial time one might hope to build protocols whose 
security relies on the difficulty of solving a particular in- 
stance of a problem whose general case is NP-completc. 
(An NP-complete problem has the property that every 
other problem in NP can be polynomially reduced to it: 
in other words it is at least as hard as any problem in 
NP.) 

But there is an obvious difficulty here. Mistrust- 
ful cryptographic problems require security against both 
parties. But if A proposes using a particular instance 
of a problem, B has no way of verifying for sure that 
the particular problem proposed genuinely is hard. It 
is presumably in A's interests to choose, if she can, an 
apparently hard problem with hidden structure, which is 
itself very hard to find, but which allows A to solve the 
problem easily. 

In this letter, I propose and briefly discuss a method 
which offers a possible way round this obstacle: using re- 
mote coin tossing — which we know can be implemented 
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with perfect security by using relativistic signalling con- 
straints, and with good computational security without 
making use of relativity — to allow mistrustful parties to 
generate random instances of hard problems. 

I focus on one particularly important protocol — clas- 
sically certified bit commitment. In a classically certi- 
fied bit commitment protocol, B is guaranteed that A is 
committed to some fixed classical bit value, or 1: the 
possibility that A's bit commitment is described, until 
unveiling, by a quantum mixture of and 1 can be ex- 
cluded. Classically certified bit commitment is stronger 
than ordinary bit commitment in the quantum realm, 
and cannot be implemented with unconditional security 
even by quantum protocols which take account of rela- 
tivistic signalling constraints [10]. 

It is known [11,12] that secure oblivious transfer and, 
hence, general secure multi-party computation can be im- 
plemented by quantum information exchanges, given a 
secure classically certified bit commitment protocol. 



II. REMOTE COIN TOSSING 

A remote coin tossing protocol was originally defined 
[13] as a protocol that allows two mistrustful parties, A 
and B, to generate a random bit, in such a way that 
each has confidence that, so long as they behave honestly 
(whether or not the other party did), the resulting bit b 
is genuinely random. In fact, as Mayers et al. pointed 
out [14], this seemingly straightforward definition hides 
a subtlety. A coin tossing protocol could fail to generate 
any bit, if one of the parties chooses to abort the protocol 
before it is complete. A cheating party might preferen- 
tially tend to abort if the output bit appears likely to 
take the value disfavoured by that party. 

To allow for this possibility, we follow Mayers et al. 
[14] in defining a secure coin tossing protocol to be one 
which guarantees the following. First, if both parties 
are honest, then Prob(fe = 0) = Prob(6 = 1) = 1/2. 
Second, if one party is honest, then, whatever strategy 
the dishonest party uses, Prob(6 = 0) < 1/2 + e and 
Prob(6 = 1) < 1/2 + e. An ideal coin tossing protocol 
guarantees this with e = 0. A secure coin tossing proto- 
col need not be ideal, so long as it contains parameters 
which can be chosen so as to make e as small as desired. 

Coin tossing is known to be strictly weaker than bit 
commitment in non-relativistic classical and quantum 
cryptography. The reason is that any secure bit com- 
mitment protocol can be used for secure coin tossing: A 
commits a random bit a to B; B returns a random bit 
b; A then unveils a and they take a © & as the coin toss 
outcome. On the other hand, it is impossible to build 
a secure non-relativistic classical or quantum bit com- 
mitment protocol using a black box for secure ideal coin 
tossing. [15] 



A simple unconditionally secure ideal coin tossing pro- 
tocol can be defined by using relativistic signalling con- 
straints. Fix some inertial coordinates, agreed by A and 
B. Suppose A controls sites A\ and A2, and B controls 
sites B\ and B2, such that A\ and B\ are within distance 
S of some agreed point P\ and A 2 and B 2 are within dis- 
tance 5 of some agreed point P 2 , where P\ and P 2 are 
separated by d 3> S. Fix also some time t agreed by A 
and B. At time t, A\ sends a random bit a as a classical 
signal, to be received by B\\ at the same time, B 2 sends 
a random bit b as a classical signal, to be received by A 2 . 
A and B accept these signals as valid implementations 
of the protocol provided they are received (by B\ and 
A 2 respectively), by time t + 26. They then take a © b as 
the coin toss outcome. Each party is guaranteed that the 
outcome is randomly generated, so long as they receive 
the other party's bit at a point outside the future light 
cone of the point from which their own was transmitted, 
and regardless of whether the other party's chosen bit 
was genuinely random. 

Relativistic coin tossing at a high bit rate is emi- 
nently practical, but will not work if the parties are un- 
able or unwilling to arrange to control suitably adjacent 
separated sites. Strangers communicating by phone or 
over the internet, for instance, are likely to need a non- 
relativistic protocol if they urgently need to generate 
random bits. Unfortunately, no unconditionally secure 
non-relativistic classical coin tossing protocol exists. It 
is claimed [5] that one can demonstrate that no uncon- 
ditionally secure non-relativistic quantum coin tossing 
protocols exist: to the best of my knowledge, no writ- 
ten proof has as yet been circulated. It is known that 
unconditionally secure ideal quantum coin tossing is im- 
possible. [6] 

Another approach to secure coin tossing is to build 
a coin tossing protocol from a bit commitment protocol 
which A and B trust to be temporarily computationally 
secure. They can then use these temporarily secure bit 
commitments to implement computationally secure coin 
tossings, using the construction described above — so 
long as the bit commitment is trusted to be secure for as 
long as it takes to exchange messages. 

Even in a future world where large quantum computers 
are commonplace, it might be reasonable to have great 
confidence in the temporary security — for, say, a few 
seconds — of standard classical bit commitments. Essen- 
tially, this requires problems which, one can be confident, 
take considerably longer to solve than to state and com- 
municate. Problems which are only polynomially hard 
for quantum computers, such as factorisation, might well 
suffice. 

If temporarily secure bit commitments are used, the 
protocols below effectively define a form of bootstrap- 
ping, in which bit commitments that are (plausibly) com- 
putationally secure for a very long time are built from 
secure coin tossings, which themselves are built on bit 
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commitments that are computationally secure only for a 
relatively short time. 

In any case, in the rest of this paper it is assumed that 
some trusted secure remote coin tossing method is avail- 
able to A and B. This could be the relativistic scheme 
described above, a scheme that is trusted to be computa- 
tionally secure, or an (as yet undiscovered) uncondition- 
ally secure quantum coin tossing scheme that does not 
rely on relativistic signalling constraints — or any other 
scheme whose security can be trusted. Whichever, we 
assume that the security of the scheme extends to mul- 
tiple coin tosses, in the sense that the participants can 
trust that implementing the scheme N times is approxi- 
mately equivalent to sampling TV independent and iden- 
tically distributed random variables, each corresponding 
to a fair coin. 



III. A STRATEGY FOR DERIVING BIT 
COMMITMENT FROM COIN TOSSING 

Abstractly, the basic idea is this. A and B identify 
some suitable graded class C = ® n >oC n of mathematical 
objects with the property that there is some increasing 
function f(n) such that the members of C n can be identi- 
fied by f(ri) bits. They also identify a class D = ® n >oD n 
of mathematical objects, with a relation — > defining a 
subset of D x C: we say d <E D is associated to c 6 C if 
d — > c. Before implementing the protocol, they will agree 
on security parameters m and n, and on bit string rep- 
resentations for the members of C m and D n . They then 
carry out 2/(m) secure coin tossings, which they use to 
generate two randomly chosen elements cq and ci of C m . 

To commit to a bit a, A should then randomly choose 
a member d of D n such that d — ► c a , and sends the bit 
string representation of d to B. To unveil the bit a, A 
sends B a description of d and a proof that d — > c a . 

Several things are required for this to define a compu- 
tationally secure bit commitment protocol. 

First, it must be hard for A to identify any elements 
d such that d — > c and d — > Ci, and such that she has 
any significant chance of being in a position to prove 
whichever of these results she chooses at the time of un- 
veiling. This must be true whether or not her choice of d 
is in fact random. One way of ensuring this would be to 
ensure that the probability of her, at commitment, being 
able to choose any d associated with both c a is very low 
or zero. Another would be to ensure that, whatever strat- 
egy she uses to choose d initially, and whatever strategy 
she follows during the protocol, her chances — call them 
Po and p\ — of generating proofs that d — > c and d — > c\ 
during the protocol, obey p a < P a , where the numbers 
P a are fixed by her initial strategy in choosing d, and 
where they obey Po + Pi < 1 + e , f° r some suitably small 
value of the security parameter e. 



Second, it must be hard for B, given a randomly cho- 
sen d — > c a , to obtain significant information during the 
protocol about whether d is likelier to be associated with 
c a or c a . 

Finally, for the protocol to be practical, it must be easy 
for A to choose random members of D n that are associ- 
ated to a randomly chosen c a , by a method which easily 
generates a proof of the association. Also, the proof itself 
must be easy to communicate. 

IV. BIT COMMITMENT FROM COIN TOSSING: 
POSSIBLE IMPLEMENTATIONS 

A. Subgraph isomorphism 

One possible implementation is given by creating ran- 
dom graphs on which A can define instances of the graph 
subisomorphism problem. Take C m and D n to be the sets 
of graphs with m and n vertices, respectively, with the 
relation d — > c if and only if d is a subgraph of c. 

With these definitions, and having agreed security pa- 
rameters to and n with to > n, A and B generate two 
random graphs in C m by carrying out m(m — 1) coin 
tosses, one for each pair of vertices, and including an 
edge (i, j) if and only if the corresponding coin toss has 
result 1. A can choose a random subgraph d E D n of 
either graph c a 6 C m by choosing a random size n sub- 
set I = {ii, . . . , in) of the vertices {1, . . . , to} of c a . (I 
is a random ordered set, i.e. the ordering of the ij is 
randomly chosen; in particular, thus, it is generally not 
numerical.) To send B a description of d, she sends the 
list {(k,l) : (ik,k) an edge of c a }. To prove to B that 
d — > c a , she simply lists the ordered subset, allowing B 
to check the above procedure has been followed. 

B. Subset sum 

Another implementation is given by generating ran- 
dom sets of positive integers on which A can define in- 
stances of subset sum problems, defined on sets of density 
close to 1. Take C m to be the class of sets of the form 
c = {ci, . . . , c m }, where the Cj are positive binary inte- 
gers of length < to. Let D n be the set of positive integers 
less than n2 n . Define the relation d — > c to hold if and 
only if there is a set of integers Xi G {0, 1} such that 
d = Z)» x i°i- 

With these definitions, having agreed a fixed n, A and 
B can use 2to 2 coin tosses to generate two independent 
random size to sets, c = {a°} and c\ = {a}}, using 
each coin toss to define a specified bit of a specified 
set element. A can then choose a random set of bits 
Xi G {0,1} and commit the bit a to B by sending the 
sum d = J2i c t x i- To prove to B that d — > c a , she simply 
sends an ordered list of the Xi. 
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C. Remark 

Other possible implementations could be based on ma- 
trix representability or other problems that are defined 
by probability distributions generated by finite strings of 
coin tosses and are known to be average case intractable. 
[16,17] 

V. SECURITY DISCUSSION 

Are these protocols computationally secure against 
quantum computers? Are they computationally secure 
even against classical computers? These are hard ques- 
tions. Proving affirmative answers would mean proving 
that {BQ)P ^ NP. And even assuming that P ^ NP 
and BQP ^ NP, conjectures which are widely believed, 
would not imply classical or quantum computational se- 
curity. I give here only a short illustrative list of security 
worries, folllowed by some reasons for thinking that the 
protocols might, nonetheless, be hard for quantum com- 
puters to break. 

A. Security worries 

Consider first security against classical computers. Re- 
call that both the subgraph isomorphism and subset sum 
problems are NP-complete. (See for example Rcf. [18].) 
Let us assume that, as is widely believed, P^NP. If so, 
and if B's task were to decide whether a graph d was iso- 
morphic to a subgraph of a graph c, or whether an integer 
d could be written as a binary sum J2i x i°i °f knapsack 
elements, then it would be impossible to find an algo- 
rithm that solved all such problems in a time polynomial 
in the problem parameters. 

B's task is slightly different, though. He has to de- 
cide whether a graph d is isomorphic to a subgraph of 
graphs c or c\, or whether an integer d is a subset sum 
from the set cq or c\, knowing that one or the other is 
the case. It seems unlikely that this decision problem 
is substantially easier than the subgraph isomorphism or 
subset sum problems in worst case, since it is hard to 
see how to address the first except by trying to solve the 
second for each of Co and c\. But I know no theorem 
showing that even these slightly modified problems are 
still NP-complctc. 

An NP-completeness result would anyway not suffice. 
B needs to solve average case, not worst case, instances. 
So the case for security against B relics on the belief 
that subset sum, subgraph isomorphism, or whatever 
randomly generated problem is chosen, is average case 
hard. 

Provably average case complete problems, which could 
be used in the protocols above, are known [16,17]. It is 



also believed that subset sum is average case hard, for 
appropriate parameter choices [19]. However — another 
potential concern — these average case results and con- 
jectures apply to problem instances chosen from different 
probability distributions from ours. Normally, when the 
average case of a decision problem — in our notation: is 
d — > c? — is considered, one assumes that c and d are 
independently randomly generated, with suitable proba- 
bility distributions. Here, we have three structures, Co, c\ 
and d, and while Co and c\ are independently randomly 
generated in a standard way, d is not. To ensure that 
d — > c or d — > ci, and that A knows which, we required 
that A use some random algorithm which takes the de- 
scription of c a — for her choice of a — and constructs a 
d such that d — > c a . We need it to be hard for B to solve 
the decision problem, for a random instance, even if he 
knows the random algorithm which A uses to define d. (If 
security were to rely on A keeping the algorithm secret, 
and not just its random input, we would not have a com- 
pletely defined protocol. Any published rules which told 
A exactly how to implement the protocol would allow B 
to break it.) 

Obviously, the concerns listed above are still more of 
a worry when considering quantum attacks, since quan- 
tum computers are for some purposes more powerful than 
classical computers, and since quantum complexity is less 
well understood than classical complexity. 



B. Why might one nonetheless hope the protocols 
are secure? 

The case for security, such as it is, begins from the 
widely shared belief that there is no quantum algorithm 
capable of solving the general case of an NP-complctc 
problem in polynomial time. A commonly cited (e.g. 
Ref. [20]) reason for this belief is that NP-complete prob- 
lems, such as subgraph isomorphism or subset sum, are 
effectively as hard as searching for a particular entry in 
a database whose size grows exponentially in the length 
of the problem description. The reasoning here is that, 
if one wants to decide, for instance, whether a size n 
graph H is a subgraph of a size m graph G, there may be 
no algorithm substantially better than searching through 
au tnc { m m n)\n\ subgraphs of G and seeing whether H 
matches any of them — the argument being that algo- 
rithms which are substantially more efficient than brute 
force need some mathematical structure to work with, 
and this type of problem just has too little structure to 
allow such algorithms. 

This intuition could, of course, be wrong. If it were 
right, though, it would mean that efficient quantum al- 
gorithms for NP-complete problems could, indeed, be ex- 
cluded, since we know that the quantum algorithms can 
give only a square-root speed-up for database search. [21] 
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Suppose the intuition is right. It is tempting to take it 
somewhat further. One might speculate that B's prob- 
lem — searching for a randomly chosen subgraph of one 
of two random graphs — is also not substantially easier 
than a database search, when m and n are suitably re- 
lated and to is large. Similarly, one might speculate that 
the problem facing a dishonest A — finding a common 
subgraph of two random graphs — is not substantially 
easier than finding collisions of a random two- to-one func- 
tion, a generalised search problem which is also suspected 
(though not proven) to be hard for quantum computers. 
If so — if, in the end, the lack of mathematical structure 
in each of these problems allows them to resist quantum 
attack — then the protocols would indeed be secure. 



VI. CONCLUSIONS 

The ideas above suggest a possible way forward in de- 
veloping "quantum-immune" protocols for general mis- 
trustful cryptographic tasks. More immediately, they 
add to the motivation for extending the folk wisdom 
about — or rigorous bounds on — the power of quantum 
computing. Can we find good reasons for extending the 
intuition that quantum computers cannot break general 
case NP-complete problems to average case instances? 
Can we extend those intuitions further to collision-type 
problems such as identifying a common subgraph of ran- 
dom graphs? Or, conversely, and against expectation, 
could there be reasons to believe that quantum attacks 
may indeed be effective in these last two cases? 
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